Cherish personal data

Dutch government must sharpen its priorities for the protection of privacy

The protection of personal data regards all citizens and, therefore, deserves more and explicit attention. Recently, great political and social fuss arose in the United Kingdom when it became clear that the British government had lost two cd-roms with over 23 million citizens’ sensitive personal data. The question is whether this could also have happened in the Netherlands.

In the Netherlands, in all business sectors the person is responsible for processing personal data must ensure appropriate technical and organisational protection against the loss thereof. The exact interpretation of this requirement is not provided by the legislator though. This causes a lot of obscurities in practice.

Although a general protection requirement is applicable, Dutch legislation, different from for example the United States, does not include a general obligation to notify security incidents. This is only different for certain sectors, like the telecommunications and financial sectors.

Public telecommunications providers, including internet service providers, are obliged to point out particular security and safety risks to their users in connection with the use of their services and networks on the basis of telecoms regulations. This concerns risks for which the providers are not responsible themselves. Furthermore, they must indicate in which way the users themselves can take protective measures against these risks. The Dutch legislator now wants to extend this notification obligation further and also wants to oblige public telecom providers to notify concrete incidents both to the persons involved and to a national supervisor.

On the basis of the Dutch Financial Supervision Act (Wet op het financieel toezicht)) and underlying General Administrative Orders, financial undertakings are obliged to have proper and sound business operations. This implies that they will have to take measures to prevent incidents. In the event that an incident does occur, measures must be taken to control the risks thus caused and to prevent repetition. Incidents must also be notified to the Netherlands Authority for Financial Markets (Autoriteit Financiële Markten). Although this has not been regulated explicitly, it may be assumed that this rule also applies if a large quantity of personal data goes missing.

The Dutch legislator, therefore, believes there is reason to regulate certain sectors extensively in this respect. Why this only applies to these sectors, is not clear though. If the incident in the United Kingdom has shown us something, it is that the government itself, as large-scale user of highly sensitive personal data, is a source of major risks. A number of times, the Netherlands Court of Audit (Algemene Rekenkamer) found the information protection in various ministries to be lacking – despite various adaptations. This situation has not yet changed.

We are of the opinion that Dutch politics should not limit this discussion to certain sectors. On the contrary, the nature and scope of the consequences of incidents should be taken as points of departure. In other words: the government would do well to take a look at itself first.

This is a translation of an article published in the Dutch business newspaper Het Financieele Dagblad on 11 December 2007.